Part of the Cobalt Iron blog series
If you’re responsible for keeping your organization’s data protected, resilient, and recoverable, then you know that maintaining a modern backup and recovery operation can feel like a never-ending journey. Technologies evolve, threats multiply, and expectations from leadership and regulators continue to rise. In this environment, compliance has taken on a new role — not as a barrier, but as a strategic force shaping the future of data protection.
The Journey, Revisited
Back in 2019, we published a blog based on the ESG Backup Transformation Maturity Model, a framework developed by Enterprise Strategy Group (ESG) and introduced by analyst Christophe Bertrand. It outlines four progressive stages of data protection:
Between the second and third stages lies what ESG calls the Data Management Chasm. This chasm represents the leap organizations must make to move from traditional backup approaches to intelligent, integrated, and autonomous operations.
Organizations often approach data protection from one of two perspectives. Some focus on cost, thinking about where data lives and how much it costs to store and retrieve. Others focus on opportunity, viewing data as a strategic asset that can drive business value. Increasingly, compliance pressures are encouraging a shift toward the opportunity mindset, where resilience and intelligence become central to the strategy.
Why Compliance Matters More Than Ever
Since that original post, the data protection landscape has evolved. Compliance has become a key factor in helping organizations move beyond legacy systems and cloud adoption toward more advanced, resilient architectures. Regulatory expectations are influencing how businesses approach data protection, encouraging a shift from reactive practices to proactive strategies.
Frameworks such as the Digital Operational Resilience Act (DORA) and the NIS2 directive are reshaping how organizations prepare for and respond to disruption. These mandates require businesses to maintain continuity, recover quickly, and report incidents with precision. As a result, compliance is influencing not just policy, but architecture — driving the adoption of more robust and integrated data protection solutions.
Meeting these requirements involves more than updating documentation. Organizations must implement effective risk management, develop incident response plans, monitor third-party dependencies, and maintain continuous oversight of their data environments. These efforts contribute directly to greater resilience and operational maturity. This shift also means elevating data protection from a technical concern to a strategic priority — one that demands executive engagement and cross-functional collaboration.
Introducing the Data Resilience Maturity Model
To help organizations benchmark their progress, Veeam and McKinsey developed the Data Resilience Maturity Model (DRMM) through extensive research involving over 500 enterprise executives and 50 C-level interviews. This model defines four levels of maturity:
Research reveals that 74% of enterprises fall into the lower two maturity horizons, highlighting a critical gap in organizational resilience. This disparity becomes particularly evident in recovery capabilities, where only 50% of organizations currently meet their recovery time objectives (RTOs) during actual disruptions.
That’s a concern, but it’s also an opportunity. Compliance is helping organizations climb the ladder by enforcing measurable standards and accountability. Organizations that achieve best-in-class status demonstrate remarkable improvements, including seven times faster recovery times and four times less data loss. These efforts are not only improving technical capabilities but also building trust across the enterprise.
Operational Resilience Starts at the Top
One of the most significant changes in recent years is the shift in accountability. Regulatory bodies are holding executives responsible for failures in resilience. Under DORA and NIS2, leadership teams must ensure their organizations meet strict standards or face personal consequences. This shift is prompting greater engagement from the boardroom and elevating data protection to a strategic priority.
To meet these expectations, organizations must quantify risk in terms that resonate with decision-makers — such as downtime, financial penalties, and reputational impact. They also need to understand the lifecycle of their data, making informed decisions about retention and deletion. Building a culture of resilience across departments, from legal and communications to IT and operations, is essential.
Cobalt Iron Compass: Built for Compliance-Driven Resilience
At Cobalt Iron, we’ve designed our Compass® platform to support organizations at every stage of the maturity journey. Compass automates updates across the backup landscape, including operating systems and storage, reducing the burden on IT teams. It includes a unique Zero Access® architecture as well as Compass Cyber Shield® security features such as encryption, air-gapping, and threat monitoring — all integrated into the platform.
Compass also delivers backup as a service, providing deep analytics and metadata insights that support auditability and regulatory reporting. Further, the Compass Approval Framework provides an automated foundation for compliance while maintaining proper controls and data governance. For organizations advancing toward autonomous operations, Compass offers intelligent optimization powered by AI. As highlighted in the webinar, Compass plays a pivotal role in helping organizations cross the Data Management Chasm. Through built-in security, orchestration, automation, and analytics, Compass enables a seamless transition from cloud-enabled operations to intelligent and autonomous data protection.
Where Are You on the Journey?
Every organization is somewhere on the path to data resilience. Some are still navigating legacy environments, while others are adopting cloud technologies or integrating orchestration tools. A few are exploring AI-driven automation, though typically still with fragmented products. Most enterprises still operate within the Legacy or Cloud-Enabled stages, and that’s perfectly valid if those approaches meet current business needs. The key is to ensure that your strategy is intentional and aligned with long-term resilience goals.
Mapping your future can help clarify your strategy and reduce uncertainty. With compliance now influencing every aspect of data protection, it’s more important than ever to have a clear direction. And with the right tools and mindset, your organization can build a resilient, secure, and future-ready data protection strategy.
Compliance requirements are reshaping data protection – are you ready? Click here to read how Compass transformed data protection for IBM’s Office of the CIO.